File name:	wxbase328u_vc_x64_custom.dll
Full analysis:	https://app.any.run/tasks/1bb062a4-a62a-4f58-961c-675306a82366
Verdict:	Malicious activity
Threats:	Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 07, 2025, 10:15:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer websocket rhadamanthys shellcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 8 sections
MD5:	E00CFE72967DF9F730058D97AA51026C
SHA1:	8DCB6085765895DC07D2C9B82AB5B82161746EE1
SHA256:	43E9C21955277B99734960070D02A94EF00F943D35C2B5931BAF75D28105F787
SSDEEP:	98304:pU7RZrE7Tf0Pu0/Pd4TaaUaiLm+1mHdTau7fJo6o9d0/H95r62o/UyZnAsT/VoYq:A

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:06:07 02:01:40+00:00
ImageFileCharacteristics:	Executable, Large address aware, DLL
PEType:	PE32+
LinkerVersion:	14.42
CodeSize:	1753088
InitializedDataSize:	2157056
UninitializedDataSize:	428544
EntryPoint:	0x6bcd8
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	4.74.628.3
ProductVersionNumber:	4.74.628.3
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Erayipenidakizuhokeyi
ProductName:	Osudutinobaxek
FileDescription:	Umezakaro Uyaxebefuwagifimaya Apuyopogeviqetel Azaqiwogetoze Ecofonofuquzeqor Eguvagiseyicivu Opapekolocu Ijogazicicamizu.
FileVersion:	4.74.628.3
ProductVersion:	4.74.628.3
OriginalFileName:	Ohujarepu
InternalName:	Oyigucinefapelilelog
LegalCopyright:	© 2025 Erayipenidakizuhokeyi


(PID) Process:	(7012) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(7012) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(7012) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(7012) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(7012) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(7012) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6632) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6632) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6632) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6632) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\PrefsLightweight
Operation:	write	Name:	lw_76db65d65164bedb245fb237841744ea
Value: 101

PID	Process	Filename		Type
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\History-journal		—
		MD5:—	SHA256:—
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\Affiliation Database		binary
		MD5:ABD5F8EA3D9A79D25AD874145769B9FD	SHA256:50E624AB71E65F7BFF466E9066621F0EE85E87F74EACD85F1952433294E1C5FD
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Crashpad\settings.dat		binary
		MD5:5CCD3CDA4A9CD6901720F7817674A725	SHA256:022093965704ECD7FBFF9C577796B45714A6C0FC65DC3F1D444D73106197BEB0
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Variations		binary
		MD5:961E3604F228B0D10541EBF921500C86	SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\History		binary
		MD5:F310CF1FF562AE14449E0167A3E1FE46	SHA256:E187946249CD390A3C1CF5D4E3B0D8F554F9ACDC416BF4E7111FFF217BB08855
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\Sync Data\LevelDB\CURRENT		text
		MD5:46295CAC801E5D4857D09837238A6394	SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\Sync Data\LevelDB\000001.dbtmp		text
		MD5:46295CAC801E5D4857D09837238A6394	SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\Sync Data\LevelDB\MANIFEST-000001		binary
		MD5:5AF87DFD673BA2115E2FCF5CFDB727AB	SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\README		text
		MD5:883D62ACD72005F3AD7A14500D482033	SHA256:C43668EEC4A8D88A5B3A06A84F8846853FE33E54293C2DB56899A5A5DFB4D944
7012	chrome.exe	C:\Users\admin\AppData\Local\Temp\chrD818.tmp\Default\Code Cache\wasm\index		binary
		MD5:54CB446F628B2EA4A5BCE5769910512E	SHA256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3760	RUXIMICS.exe	GET	200	23.216.77.30:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3760	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	89.110.87.119:443	https://api.goolagstalinmore.top/gateway/923tfch2.5pmk4	unknown	image	1.91 Mb	—
—	—	GET	—	142.250.185.67:443	https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=122	unknown	—	—	—
—	—	POST	200	74.125.206.84:443	https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	unknown	text	17 b	whitelisted
—	—	GET	—	142.250.185.174:443	https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=122.0.6261.70&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEB%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DGCEB%26ping%3Dr%253D-1%2526e%253D1	unknown	—	—	—
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=7412167277153477172&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=0&mngd=0&installdate=1749291385&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	839 b	whitelisted
—	—	GET	—	142.250.185.174:443	https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=122.0.2365.59&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D0.0.0.0%26installedby%3Dexternal%26uc	unknown	—	—	—
—	—	GET	—	150.171.27.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1749291385&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
3760	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3760	RUXIMICS.exe	23.216.77.30:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3760	RUXIMICS.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7376	aspnet_wp.exe	104.16.249.249:443	cloudflare-dns.com	CLOUDFLARENET	—	whitelisted
7376	aspnet_wp.exe	89.110.87.119:443	api.goolagstalinmore.top	RECONN LLC	RU	unknown
5760	OOBE-Maintenance.exe	185.252.140.125:123	pool.ntp.org	—	—	whitelisted
5760	OOBE-Maintenance.exe	94.198.159.14:123	ntp.time.nl	—	—	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	23.216.77.30 23.216.77.29 23.216.77.32 23.216.77.25 23.216.77.37 23.216.77.33 23.216.77.21 23.216.77.20 23.216.77.35	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
cloudflare-dns.com	104.16.249.249 104.16.248.249	whitelisted
api.goolagstalinmore.top	89.110.87.119	unknown
ntp1.net.berkeley.edu	169.229.128.134	whitelisted
pool.ntp.org	185.252.140.125 128.140.37.196 217.91.44.17 185.41.106.152	whitelisted
time.google.com	216.239.35.0 216.239.35.8 216.239.35.12 216.239.35.4	whitelisted
ts1.aco.net	193.171.23.163	unknown

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Generic Protocol Command Decode	SURICATA HTTP Host header invalid
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request

General Info

wxbase328u_vc_x64_custom.dll

E00CFE72967DF9F730058D97AA51026C

8DCB6085765895DC07D2C9B82AB5B82161746EE1

43E9C21955277B99734960070D02A94EF00F943D35C2B5931BAF75D28105F787

98304:pU7RZrE7Tf0Pu0/Pd4TaaUaiLm+1mHdTau7fJo6o9d0/H95r62o/UyZnAsT/VoYq:A

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

RHADAMANTHYS has been detected (YARA)

SUSPICIOUS

The process checks if it is being run in the virtual environment

Executes application which crashes

Reads security settings of Internet Explorer

Reads Mozilla Firefox installation path

Loads DLL from Mozilla Firefox

Searches for installed software

Reads the BIOS version

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Manual execution by a user

Reads Environment values

Create files in a temporary directory

Process checks computer location settings

Checks proxy server information

Application launched itself

Process checks whether UAC notifications are on

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings